Compromised patching may have brought down PCs and TVs last week in S.K.

South Korea's massive data wiping malware that knocked out hundreds of personal computers at TV stations and banks
last week may have been introduced through a combination of compromised corporate patching systems spread across the
country.

Several South Korean financial institutions (Shinhan Bank, Nonghyup Bank and Jeju Bank) and TV broadcaster networks
were all hit by a destructive virus, since identified as DarkSeoul by Sophos and as the Jokra Trojan by Symantec, which
wiped the data on the hard drives of infected PCs, operating system included, so that they could not boot on
restart.

Initially it was believed that the malware spread through local telco LG U+ and may have come from a single Chinese
IP address. The Korea Communications Commission later said it had been mistaken when it identified an internet address in
China as the source of the attack.

The IP address involved actually belonged to NongHyup Bank, one of the main victims of the assault, suggesting that the
attack could have been an 'inside job'.

Late on Friday afternoon, security appliance firm Fortinet claimed that hackers had broken into the servers of an unnamed
local antivirus company and planted malware that was then distributed as an update. Local researchers at Fortinet's
Threat Response Team, working with the Korea Information Security Association, came up with the theory before notifying the
news media of the apparent find.

But later on Friday evening, Guillaume Lovet of Fortinet stated that the security appliance firm no longer stood
by its earlier pronouncement.

By early this morning things had moved on again, with South Korean security software firm AhnLab putting out a release
saying that hacked corporate patching systems were to blame for the malware's wide spread. It added that its own
security technology was not involved in distributing the malware, an apparent reference to the premature and since-discredited
theory put forward by Fortinet.

It now appears that the attackers used stolen user IDs and passwords to launch some of the attacks. The credentials were
used to gain access to individual patch management systems located on the affected networks. Once inside a patch
management system, the attackers used it to distribute the malware in the same way the system distributes legitimate
software and updates: a PMS has, by design, the right to push executables to every endpoint it manages, so whoever
controls it controls those endpoints.

Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver
the malicious code.
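The attack worked because the endpoints ran whatever the patch management server handed them, so stolen PMS credentials were enough. The check a practitioner would want is shown below as an added example; it is not code from AhnLab, Fortinet or any product named in this story. The vendor signs each package with an offline Ed25519 key at build time and the endpoint agent verifies it against a pinned public key before installing, so a PMS administrator (or an attacker holding that administrator's credentials) can swap the payload but cannot make the swapped package verify. The Update layout, its field names and the sample payload strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Update is the package an endpoint agent receives from the patch management
// server (PMS). The layout is constructed for this example and is not the wire
// format of AhnLab's or any other real product.
type Update struct {
	Name      string
	Version   string
	NotAfter  time.Time // signature validity window; limits replay of old packages
	Payload   []byte    // the installer or binary that will be executed
	Signature []byte    // Ed25519 signature made with the vendor's offline build key
}

// GenerateVendorKey creates the vendor's signing key pair. In practice the
// private half lives on the vendor's build system or an HSM, never on the PMS.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// digest binds name, version, expiry and payload into one message, with
// length prefixes so that fields cannot be shifted into one another.
func digest(u Update) []byte {
	h := sha256.New()
	for _, s := range []string{u.Name, u.Version} {
		binary.Write(h, binary.BigEndian, uint32(len(s)))
		h.Write([]byte(s))
	}
	binary.Write(h, binary.BigEndian, u.NotAfter.Unix())
	binary.Write(h, binary.BigEndian, uint64(len(u.Payload)))
	h.Write(u.Payload)
	return h.Sum(nil)
}

// Sign is run by the vendor at build time, before the package is uploaded to the PMS.
func Sign(priv ed25519.PrivateKey, u Update) Update {
	u.Signature = ed25519.Sign(priv, digest(u))
	return u
}

// Verify is run by the endpoint agent with the vendor's pinned public key
// before anything delivered by the PMS is written to disk or executed.
// Whoever controls the PMS can change any field, but cannot produce a valid
// signature over the result.
func Verify(pub ed25519.PublicKey, u Update, now time.Time) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: missing or malformed signature")
	}
	if now.After(u.NotAfter) {
		return errors.New("update rejected: signature validity window has passed")
	}
	if !ed25519.Verify(pub, digest(u), u.Signature) {
		return errors.New("update rejected: signature does not match package contents")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	now := time.Date(2013, 3, 20, 14, 0, 0, 0, time.UTC)
	genuine := Sign(priv, Update{
		Name: "agent", Version: "1.2.3", NotAfter: now.Add(7 * 24 * time.Hour),
		Payload: []byte("constructed: legitimate installer bytes"),
	})
	fmt.Println("genuine package:", Verify(pub, genuine, now))

	// An attacker with PMS admin access swaps the payload for a wiper but can
	// only keep the vendor's old signature; the endpoint refuses the package.
	planted := genuine
	planted.Payload = []byte("constructed: MBR wiper bytes")
	fmt.Println("planted package:", Verify(pub, planted, now))
}
```

The important design point is where the private key lives: if the signing key sat on the PMS, the stolen administrator credentials would have covered it too. The expiry field is there so that an attacker who captures an old, genuinely signed package cannot re-push it indefinitely.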

The latest theory suggests that the hackers first obtained administrator credentials for a security vendor's patch
management server (PMS) via a targeted attack. Armed with those credentials, they then placed malware on the PMS server
disguised as a normal software update.

This fake update subsequently infected a large number of PCs at once, wiping the Master Boot Record (MBR) on each Windows
PC so that it could not boot normally. The malware was designed to activate on March 20 at 2:00 PM, South Korea time.
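Why wiping the MBR stops a machine booting is easier to see with the sector's layout in front of you. The following is an added example, not code from AhnLab or any of the vendors named in this story: a parser for the 512-byte MBR (boot code, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510) that reports whether a sector is still usable, applied to a constructed healthy sector and to the same sector after being overwritten with zeros or with a repeated filler string. The sample partition layout and the filler bytes are constructed; the field offsets are the MBR format itself.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	sectorSize     = 512
	partTableStart = 446 // four 16-byte partition entries follow the boot code
	bootSigOffset  = 510 // 0x55, 0xAA
)

// Partition is one decoded MBR partition-table entry (CHS fields ignored).
type Partition struct {
	Bootable bool
	Type     byte // 0x07 = NTFS/exFAT, 0x0C = FAT32 LBA, 0xEE = GPT protective, ...
	LBAStart uint32
	Sectors  uint32
}

// ParseMBR checks whether a 512-byte sector still looks like a usable Master
// Boot Record: correct size, 0x55AA boot signature, sane boot flags, at least
// one non-empty partition and no overlapping partitions. A sector that a wiper
// has zeroed or overwritten with filler fails here, which is what leaves the
// machine unable to boot.
func ParseMBR(sector []byte) ([]Partition, error) {
	if len(sector) != sectorSize {
		return nil, fmt.Errorf("expected %d bytes, got %d", sectorSize, len(sector))
	}
	if sector[bootSigOffset] != 0x55 || sector[bootSigOffset+1] != 0xAA {
		return nil, errors.New("boot signature 0x55AA missing: MBR wiped or overwritten")
	}
	var parts []Partition
	bootable := 0
	for i := 0; i < 4; i++ {
		e := sector[partTableStart+16*i : partTableStart+16*(i+1)]
		if e[4] == 0 { // partition type 0 marks an unused slot
			continue
		}
		switch e[0] {
		case 0x80:
			bootable++
		case 0x00:
		default:
			return nil, fmt.Errorf("partition %d: invalid boot flag 0x%02x", i, e[0])
		}
		p := Partition{
			Bootable: e[0] == 0x80,
			Type:     e[4],
			LBAStart: binary.LittleEndian.Uint32(e[8:12]),
			Sectors:  binary.LittleEndian.Uint32(e[12:16]),
		}
		if p.Sectors == 0 {
			return nil, fmt.Errorf("partition %d: zero length", i)
		}
		for j, q := range parts {
			if p.LBAStart < q.LBAStart+q.Sectors && q.LBAStart < p.LBAStart+p.Sectors {
				return nil, fmt.Errorf("partition %d overlaps partition %d", i, j)
			}
		}
		parts = append(parts, p)
	}
	if len(parts) == 0 {
		return nil, errors.New("partition table empty")
	}
	if bootable > 1 {
		return nil, fmt.Errorf("%d partitions flagged bootable, expected at most one", bootable)
	}
	return parts, nil
}

// SampleMBR builds a constructed boot sector resembling a typical single-disk
// Windows layout: a 100 MiB bootable system partition followed by an NTFS
// partition. The boot-code area holds a placeholder string, not real code.
func SampleMBR() []byte {
	s := make([]byte, sectorSize)
	copy(s, []byte("constructed boot code placeholder"))
	entry := func(i int, boot, typ byte, start, sectors uint32) {
		e := s[partTableStart+16*i : partTableStart+16*(i+1)]
		e[0] = boot
		e[4] = typ
		binary.LittleEndian.PutUint32(e[8:12], start)
		binary.LittleEndian.PutUint32(e[12:16], sectors)
	}
	entry(0, 0x80, 0x07, 2048, 204800)
	entry(1, 0x00, 0x07, 206848, 41734144)
	s[bootSigOffset], s[bootSigOffset+1] = 0x55, 0xAA
	return s
}

// Overwrite returns a copy of sector with every byte replaced by the repeating
// fill pattern, which is what a destructive MBR wiper leaves behind.
func Overwrite(sector []byte, fill []byte) []byte {
	out := make([]byte, len(sector))
	for i := range out {
		out[i] = fill[i%len(fill)]
	}
	return out
}

func main() {
	for name, sec := range map[string][]byte{
		"healthy": SampleMBR(),
		"zeroed":  Overwrite(SampleMBR(), []byte{0}),
		"filler":  Overwrite(SampleMBR(), []byte("WIPED")),
	} {
		parts, err := ParseMBR(sec)
		fmt.Printf("%-8s partitions=%d err=%v\n", name, len(parts), err)
	}
}
```

On a live system the same check can be run against the first 512 bytes of the boot disk from a recovery environment; a missing signature or empty partition table is the quickest confirmation that the MBR, rather than the operating system files, is what was destroyed.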

The speed at which the attack spread had already led security tools firm AlienVault to suggest that the wiper malware
might have been distributed to already compromised clients in a zombie network (botnet). AhnLab suggests that this
compromised network was in fact the patching system of the wiper's victims.

The prevailing theory, however, remains that North Korea may have instigated the attacks, which followed weeks of heightened
tension on the peninsula. There is no hard evidence to support this conclusion. We will keep you posted on this
and other news stories as they develop.

In other internet security news

A very obvious security flaw has been blamed for the compromise and attempted theft of 300 .uk domains managed
by hosting firm 123-Reg in 2012.

Anyone with a 123-Reg hosting package and the account control panel the company supplied simply had to edit the
final section of the control-panel URL by hand (to, for example, /someoneelseswebsite.co.uk) to gain full access to
another customer's email, FTP credentials, name servers, private information and billing details. The panel trusted the
domain named in the URL without checking that the logged-in account owned it, a textbook missing-authorisation
(insecure direct object reference) bug.

With access to the administrative control panel, would-be domain thieves had only to change the registrant contact details
held at the UK registry, Nominet, to a new email address and then submit a forgotten-password request so that a fresh
password was sent to that address, locking the original owner out.
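The flaw and its fix side by side, as an added example that is not 123-Reg's code and makes no claim about how their panel was actually built. Both handlers take the domain from the last segment of the URL exactly as described above; the vulnerable lookup returns the record to any logged-in account, the hardened one returns it only to the account that owns the domain. The DomainRecord fields, the Store, the "account" session cookie and the sample customers victim.co.uk and mallory.co.uk are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"path"
)

// DomainRecord is what the control panel exposes for one hosted domain.
// Constructed for this example; it is not 123-Reg's data model.
type DomainRecord struct {
	Domain       string   `json:"domain"`
	Owner        string   `json:"owner"` // account that registered the domain
	ContactEmail string   `json:"contact_email"`
	FTPUser      string   `json:"ftp_user"`
	FTPPassword  string   `json:"ftp_password"`
	NameServers  []string `json:"name_servers"`
}

// Store maps domain name to record, standing in for the panel's database.
type Store map[string]DomainRecord

// LookupVulnerable mirrors the flaw: the domain from the URL is looked up as-is.
// Being logged in is the only requirement, so any customer can read any other
// customer's record simply by editing the path.
func (s Store) LookupVulnerable(sessionAccount, domain string) (DomainRecord, int) {
	rec, ok := s[domain]
	if !ok {
		return DomainRecord{}, http.StatusNotFound
	}
	return rec, http.StatusOK
}

// LookupHardened adds the missing authorisation check: the record is returned
// only if the logged-in account owns it. Unauthorised and non-existent domains
// both get 404 so the panel does not confirm which domains exist.
func (s Store) LookupHardened(sessionAccount, domain string) (DomainRecord, int) {
	rec, ok := s[domain]
	if !ok || rec.Owner != sessionAccount {
		return DomainRecord{}, http.StatusNotFound
	}
	return rec, http.StatusOK
}

// Handler wires a lookup to a route such as /panel/domains/<domain>. Session
// handling is simplified: the account comes from a constructed "account"
// cookie standing in for a real authenticated session.
func Handler(lookup func(account, domain string) (DomainRecord, int)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("account")
		if err != nil {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		rec, status := lookup(c.Value, path.Base(r.URL.Path))
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		if status == http.StatusOK {
			json.NewEncoder(w).Encode(rec)
		}
	}
}

// SampleStore holds two constructed customers for the demonstration.
func SampleStore() Store {
	return Store{
		"victim.co.uk": {
			Domain: "victim.co.uk", Owner: "victim", ContactEmail: "owner@victim.co.uk",
			FTPUser: "victim_ftp", FTPPassword: "constructed-secret-1",
			NameServers: []string{"ns1.example.net", "ns2.example.net"},
		},
		"mallory.co.uk": {
			Domain: "mallory.co.uk", Owner: "mallory", ContactEmail: "me@mallory.co.uk",
			FTPUser: "mallory_ftp", FTPPassword: "constructed-secret-2",
			NameServers: []string{"ns1.example.net", "ns2.example.net"},
		},
	}
}

func main() {
	store := SampleStore()
	http.Handle("/vulnerable/domains/", Handler(store.LookupVulnerable))
	http.Handle("/hardened/domains/", Handler(store.LookupHardened))
	// Try: curl -b account=mallory http://127.0.0.1:8080/vulnerable/domains/victim.co.uk
	//      curl -b account=mallory http://127.0.0.1:8080/hardened/domains/victim.co.uk
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The ownership comparison is the entire fix; everything else in the two handlers is identical. Returning the contact email and registrar credentials only to the owner also closes the second step of the theft described above, since an attacker who cannot read the record cannot change its contact address either.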

In defense, 123-Reg said it had "worked with our registrars to help them tighten security and prevent a repeat of this
incident."

Both 123-Reg and Nominet say that there was "a query from a registrant" last year that led to Nominet "discovering some
irregularities in registration and renewal patterns".

"As part of Nominet's standard operating procedures they locked the affected domains from any transfer or adjustment
while they investigated further, and with our full support," 123-Reg said in an emailed statement.

Nominet said that its investigations into the issue revealed that "a total of 300 .uk domains had been transferred
over to a new registrant in the post-expiry period without the permission of the original registrant".

"We have terminated our registrar agreement with one registrar," the dot-UK registry said. Neither firm would comment
on how the security breach had come about, or on whether the matter had been referred to Britain's Information Commissioner,
who investigates such matters.

Nominet added that it couldn't elaborate any further because "we understand there is an ongoing police investigation
into this issue".

In other internet security news

Critical internet-facing industrial systems controlling crucial equipment used by nuclear power plants, airports,
factories and other sensitive sites come under sustained attack within hours of appearing online, according to new
research by Trend Micro.

The security vulnerabilities of SCADA (supervisory control and data acquisition) industrial control systems are
numerous, and have been a major focus of interest in information security circles for the last three years or so
thanks to Stuxnet, Duqu, and other similar noteworthy virus attacks.

A security expert has challenged a theory about how the infamous Stuxnet worm, best known for tampering with Iranian
centrifuge equipment, escaped onto the internet. New York Times reporter David Sanger wrote what has become the definitive
account of how Stuxnet was jointly developed by a U.S./Israeli team. The malware was deployed to sabotage high-speed
centrifuges at Iran's nuclear fuel processing plant by infecting and commandeering the site's control systems.

According to Sanger's sources, an Iranian technician's laptop was plugged into a Stuxnet-sabotaged centrifuge
device and was almost immediately infected by the malfunctioning equipment.

Trend Micro researcher and SCADA security expert Kyle Wilhoit set out to look into attacks on internet-facing control
systems in greater depth by setting up internet-facing honeypots and recording the attempted attacks against them. The
honeypot architecture Wilhoit developed mimics that of real industrial control systems and SCADA devices.

The researcher, who was once the lead incident handler and reverse engineer at a large energy company, focusing
on ICS/SCADA security and persistent threats, created a total of three honeypots. All three were internet-facing and
used three different static IP addresses in different subnets scattered across the United States.

One honeypot featured a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted
on Amazon EC2, and configured as a web page that mimics that of a water pressure station. Another honeypot featured
a web server that mimicked a control interface connected to a PLC production system.

The final honeypot was an actual PLC device set up to mimic temperature controller systems in a factory. All three
honeypots included traditional vulnerabilities found across the same or similar systems. Various steps were taken to
make sure the honeypots were easily discovered.

The sites were then optimized for search and published on Google. The researchers also made sure the honeypots would
be indexed by Shodan, the search engine that catalogues internet-exposed routers, printers, servers and industrial
control systems. Once a search turns up a vulnerable embedded device, Metasploit provides a library of ready-made
attacks which, as security strategist Josh Corman points out, can be run without any detailed knowledge or skill.

The Trend Micro security researchers excluded simple port scans and focused on recording anything that might pose
a threat to internet-facing ICS/SCADA systems. This includes unauthorized access to secure areas of sites, attempted
modifications of controllers, or any other attack against a protocol specific to SCADA devices, such as Modbus/TCP.

They also logged any targeted attempt to gain access to, or take down, the servers running the system. Various tools,
including the popular open-source intrusion detection package Snort, honeyd (modified to mimic common SCADA protocols),
tcpdump and analysis of server log files, were used to monitor and record the attacks the honeypots attracted.
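What "an attack against a protocol specific to SCADA devices, such as Modbus/TCP" looks like on the wire is worth making concrete. The following is an added example, not Trend Micro's honeypot code or their Snort/honeyd configuration: a minimal inspector for Modbus/TCP requests that decodes the 7-byte MBAP header (transaction id, protocol id, length, unit id) and the function code, and raises alerts for malformed frames, for any traffic from a host not on an allow-list, and, at higher severity, for device fingerprinting and for the function codes that change controller state. The captured frames, the source addresses and the allow-list are all constructed; the header layout and function codes are those of the Modbus/TCP protocol.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Frame is one captured Modbus/TCP request as a monitoring tap would see it:
// the client's source address plus the raw TCP payload (MBAP header + PDU).
type Frame struct {
	Src  string
	Data []byte
}

// Alert is what the inspector emits for a frame worth a human's attention.
type Alert struct {
	Src      string
	Severity string // "low", "medium" or "high"
	Reason   string
}

// Modbus function codes that change controller state.
var writeFunctions = map[byte]string{
	0x05: "Write Single Coil",
	0x06: "Write Single Register",
	0x0F: "Write Multiple Coils",
	0x10: "Write Multiple Registers",
	0x16: "Mask Write Register",
	0x17: "Read/Write Multiple Registers",
}

// Function codes typically used to fingerprint a device before attacking it.
var reconFunctions = map[byte]string{
	0x11: "Report Server ID",
	0x2B: "Read Device Identification",
}

// Inspect decodes the MBAP header and function code of one request and returns
// an alert when the frame is malformed, comes from a host not on the allow-list,
// or asks the controller to change state. allowed holds the HMIs and engineering
// workstations that are permitted to talk Modbus to this device.
func Inspect(f Frame, allowed map[string]bool) *Alert {
	if len(f.Data) < 8 {
		return &Alert{Src: f.Src, Severity: "medium", Reason: "truncated Modbus/TCP frame"}
	}
	protoID := binary.BigEndian.Uint16(f.Data[2:4])
	length := int(binary.BigEndian.Uint16(f.Data[4:6]))
	if protoID != 0 { // 0 is the only protocol id defined for Modbus
		return &Alert{Src: f.Src, Severity: "medium", Reason: fmt.Sprintf("unexpected protocol id %d", protoID)}
	}
	if length != len(f.Data)-6 { // length counts unit id + PDU
		return &Alert{Src: f.Src, Severity: "medium",
			Reason: fmt.Sprintf("MBAP length %d does not match payload %d", length, len(f.Data)-6)}
	}
	fc := f.Data[7]
	trusted := allowed[f.Src]
	switch {
	case writeFunctions[fc] != "" && !trusted:
		return &Alert{Src: f.Src, Severity: "high", Reason: "write from unauthorised host: " + writeFunctions[fc]}
	case reconFunctions[fc] != "" && !trusted:
		return &Alert{Src: f.Src, Severity: "medium", Reason: "device fingerprinting from unauthorised host: " + reconFunctions[fc]}
	case !trusted:
		return &Alert{Src: f.Src, Severity: "low", Reason: fmt.Sprintf("Modbus function 0x%02x from unauthorised host", fc)}
	}
	return nil
}

// Analyze runs Inspect over a capture and collects the alerts in order.
func Analyze(frames []Frame, allowed map[string]bool) []Alert {
	var alerts []Alert
	for _, f := range frames {
		if a := Inspect(f, allowed); a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts
}

// BuildRequest assembles a well-formed Modbus/TCP request from a PDU; used
// here only to construct sample traffic.
func BuildRequest(txID uint16, unit byte, pdu []byte) []byte {
	b := make([]byte, 7+len(pdu))
	binary.BigEndian.PutUint16(b[0:2], txID)
	binary.BigEndian.PutUint16(b[2:4], 0)
	binary.BigEndian.PutUint16(b[4:6], uint16(1+len(pdu)))
	b[6] = unit
	copy(b[7:], pdu)
	return b
}

// SampleFrames is a constructed capture: one plant HMI (10.0.5.20) and two
// internet hosts talking to a PLC at unit id 1.
func SampleFrames() []Frame {
	readRegs := []byte{0x03, 0x00, 0x00, 0x00, 0x0A}       // read 10 holding registers from 0
	readID := []byte{0x2B, 0x0E, 0x01, 0x00}               // read device identification
	setPoint := []byte{0x06, 0x00, 0x10, 0x00, 0x00}       // write register 0x0010 := 0
	bad := BuildRequest(5, 1, readRegs)
	binary.BigEndian.PutUint16(bad[4:6], 20) // header claims 20 bytes, only 6 follow
	return []Frame{
		{"10.0.5.20", BuildRequest(1, 1, readRegs)},   // authorised read: no alert
		{"203.0.113.7", BuildRequest(1, 1, readRegs)}, // unknown host read: low
		{"203.0.113.7", BuildRequest(2, 1, readID)},   // fingerprinting: medium
		{"203.0.113.7", BuildRequest(3, 1, setPoint)}, // state change: high
		{"10.0.5.20", BuildRequest(4, 1, setPoint)},   // authorised write: no alert
		{"198.51.100.9", bad},                          // malformed header: medium
	}
}

func main() {
	allowed := map[string]bool{"10.0.5.20": true}
	for _, a := range Analyze(SampleFrames(), allowed) {
		fmt.Printf("%-6s %-14s %s\n", a.Severity, a.Src, a.Reason)
	}
}
```

The allow-list does the real work: Modbus has no authentication of its own, so the only way to tell an operator's write from an attacker's is where it came from, which is also why the segmentation advice later in this story matters more than any signature.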

The researchers waited less than a day before the attacks began, as Wilhoit explains in his research paper "Who's Really
Attacking Your ICS Equipment?". It took only 18 hours to find the first signs of an attack on one of the honeypots, and
as the honeypots ran and continued to collect attack statistics, the findings proved disturbing.

The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out
of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same
actors over a period of several days and could be considered “targeted” and/or “automated.”

All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same subnet.
The attacks included attempts to spear-phish a site administrator, bids to exploit fundamental ICS protocols and malware
exploitation attempts on the servers running the honeypot environment.

Other attacks included attempts to change the CPU fan speed on systems supposedly controlling a water pump and attempts
to harvest system information. Four malware samples were collected over the four-week testing period, two of which had
not been seen in the wild before.

Trend Micro is currently analyzing these pieces of malware to determine their functionality. As well as looking
at the type of attack getting thrown against the honeypot system, researchers at Trend Micro also looked at the origin
of attempted attacks.

About 34 percent of attacks against the industrial control system honeypots originated in China, but one in five (19 percent)
originated in the U.S. The researchers also found that a surprisingly high share (12 percent) of attacks against a
honeypot control system came from the southeast Asian nation of Laos.

Wilhoit presented his research at the Black Hat Europe conference in Amsterdam, the Netherlands, last Friday.
“Trend Micro's research reveals that attackers have enough knowledge to analyze and affect industrial control devices'
infrastructures,” said Raimund Genes, CTO at Trend Micro.

“This is an alarming wake-up call for operators of these infrastructures to check the security of these systems
and ensure they are properly separated from the internet/open networks. The research also shows that it is not only
usual suspects attacking, but that these attacks also happen in your own backyard.”

SCADA systems control everything from escalators in metro stations in Madrid to milk-processing factories in Mali
and uranium enrichment centrifuges in Iran.

"Security in an ICS/SCADA network is often considered 'bolt-on' or thought of 'after the fact'. When these systems
were first brought into service more than 20 or so years ago, security was typically not a concern," Wilhoit explains.

"However, as things changed over time, most of these systems’ purposes have been reestablished, along with the way
they were originally configured. A system that used to only be accessible to a single computer next to a conveyor belt
became accessible via the internet, with very little hindrance."

Wilhoit called for further research into motives, sources and delivery techniques of the increasingly sophisticated
attackers who target industrial control systems. "Internet-facing ICS are readily targeted," Wilhoit warns. "Until
proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive
in the coming years."

A recent study by InfraCritical discovered that 500,000 SCADA (supervisory control and data acquisition) networks
were susceptible to attack, highlighting the wide-scale vulnerability of systems that control the operations of power
and water plants, among other critical facilities.

According to recent research by ICS-CERT, 171 unique vulnerabilities affecting 55 different ICS vendors were
found last year alone. And patching industrial control systems creates its own issues, according to a study by Tofino Security
published last week.

Eric Byres, CTO and vice president of engineering at Tofino Security, says there are as many as 1,805 as-yet-undiscovered
security vulnerabilities on control system computers. Industrial control systems therefore need frequent patches, but a
buggy patch can take down the very process it is meant to protect.

The frequency of patching needed to address future SCADA/ICS vulnerabilities in both controllers and computers
likely exceeds the tolerance of most SCADA operators for system shutdowns. Unlike IT systems, most industrial processes
operate around the clock and demand high uptime. Weekly shutdowns for patching are unacceptable.

But even when patches can be installed, they can be problematic. According to Tofino Security, there is a one in
12 chance that any patch will affect the safety or reliability of a control system, and there is a 60 percent failure
rate in patches fixing the reported vulnerability in control system products.

Additionally, security patches often require staff with special skills to be present. In many cases, such experts
are often not certified for access to safety regulated industrial sites.

Tofino Security markets industrial network security and SCADA security products that protect industrial control
systems from potential attack, even if they aren't patched, so it has a vested interest in talking up the problems of
patching.

But the overall picture of exposed and vulnerable industrial control systems is consistent with the findings of experts
at Trend Micro and elsewhere. A SCADA network ought to be segregated from the corporate intranet and air-gapped from
the internet, or at the very least firewalled, yet even the most rudimentary protections are often completely absent.

Sean McGurk, former head of cybersecurity for the U.S. Department of Homeland Security turned managing principal
for investigative response on Verizon’s RISK Team, says that attacks against the enterprise systems behind utilities are
a bigger risk than Stuxnet-style attacks.

The networks of both Saudi Aramco and RasGas in Qatar were hobbled by conventional malware attacks last year,
for example; both attacks were later linked to the Shamoon data wiper. Part of the issue is that industrial control
systems have a far longer service life than enterprise servers, computers and routers: typically up to 20 years instead of
three to five.

Additionally, industrial control equipment uses different ports and protocols from conventional enterprise
networks, so simply adding a firewall or network segmentation is not adequate as a defensive strategy on its own; the
filtering has to understand the control protocols in use. Industrial control systems also often have to work in real time,
with low latency and high availability.

"But just to set the record straight, the security patching of legacy systems is ongoing," McGurk said. "But patching
is difficult for five-9s high-availability systems. Secure connectivity can only be enhanced with layers of security
but you can't gold-plate everything."

Despite these difficulties, McGurk suggested that many in the security sector are being slow to react to the
various threats, and that this is a real issue. The U.K. energy sector has been particularly slow to adopt security measures
that keep pace with new technological developments such as smart grids, potentially leaving it exposed to large-scale
cyber-attacks as a result.

But he acknowledged that smart-grid technology was certainly not without its own issues, such as potentially making it
easier to disconnect the vulnerable or elderly, and was no panacea.

"Introducing smart-grid technology is a double edged sword," McGurk explained. "Although you can still enhance interoperability,
you can't just throw it in there. There's a greater security focus and it's not just about interoperability anymore," he
concluded.

McGurk added that government and industry need to work together to improve both the security and interoperability
of the industrial control systems that monitor and manage power generation and distribution systems.

McGurk, who has more than thirty years of experience in ICS cybersecurity and critical infrastructure protection,
traveled to London last week to speak at the European Smart Grid Cyber and SCADA Security Conference, a closed event
restricted to industry participants and suppliers.

In other internet security news

James Clapper, Director of National Intelligence, told Congress on March 12 that America's biggest national security
threat could come not from bullets or bombs in a terrorist attack but from computer hackers, located in the U.S. as
well as in other countries.

That is the assessment of a group of the nation's top intelligence officials, who told Congress on Tuesday that cyber
attacks now top the list of national security threats facing the United States.

It is the first time since the Sept. 11, 2001 terrorist attacks that anything other than terrorism has been the top
concern in the Intelligence Community's Worldwide Threat Assessment, which is presented annually to the Senate Select
Committee on Intelligence.

Clapper told the panel that cyber and financial threats were being added "to the list of weapons being used against
the United States" and which help define a new "soft" kind of war.

"When it comes to the distinct threat areas, our statement this year leads with cyber and it's hard to overemphasize
its significance" said Clapper.

According to him, state and non-state actors are increasingly gaining "cyber expertise" which they use "to achieve
strategic objectives by gathering sensitive information from public- and private-sector entities, controlling the content
and flow of information, and challenging perceived adversaries in cyberspace."